[ptxdist] [PATCH] strongswan: Version bump 5.6.1 -> 5.8.1

mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed

* [ptxdist] [PATCH] strongswan: Version bump 5.6.1 -> 5.8.1
@ 2019-11-18 12:45 Lars Pedersen
  2019-11-19 12:49 ` [ptxdist] [PATCH v2] " Lars Pedersen
  2019-12-05  9:34 ` Lars Pedersen
  0 siblings, 2 replies; 8+ messages in thread
From: Lars Pedersen @ 2019-11-18 12:45 UTC (permalink / raw)
  To: ptxdist; +Cc: Lars Pedersen

Add swanctl support which replaces the old starter, ipsec and stroke
backend. In this patch swanctl requires systemd.
https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd

Use install_glob to install all compiled plugins.

Option to enable strongswan service if systemd is used.

Option to set sysconfdir. Default /etc.

Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
---
 rules/strongswan.in   |  25 ++++++--
 rules/strongswan.make | 129 ++++++++++++++++++------------------------
 2 files changed, 76 insertions(+), 78 deletions(-)

diff --git a/rules/strongswan.in b/rules/strongswan.in
index d0e660c57..651fd86a6 100644
--- a/rules/strongswan.in
+++ b/rules/strongswan.in
@@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
 
 config STRONGSWAN_SYSTEMD_UNIT
 	bool
-	default y
-	# uses old systemd-daemon / libsystemd-journal libs
-	depends on BROKEN
 	depends on INITMETHOD_SYSTEMD
-	prompt "install systemd service file"
+	prompt "install systemd unit file"
+
+config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Enable strongswan unit file"
+
+config STRONGSWAN_SWANCTL
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Use swanctl for configuration"
+	help
+		Swanctl is a new, portable command line utility to configure,
+		control and monitor the IKE daemon charon using the vici interface.
+
+config STRONGSWAN_SYSCONF_DIR
+	string
+	prompt "Sysconf directory"
+	default "/etc"
+	help
+		Override default /etc sysconf directory for strongswan.
 
 endif
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 90db7bef7..3e8c9b827 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION	:= 5.6.1
-STRONGSWAN_MD5		:= cb2241f1b96c524cd15b1c0f50ed9a27
+STRONGSWAN_VERSION	:= 5.8.1
+STRONGSWAN_MD5		:= 5a6b9980cd1ac4fad3c24b55ed960ac9
 STRONGSWAN		:= strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX	:= tar.bz2
 STRONGSWAN_URL		:= https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
@@ -36,6 +36,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
 	--disable-bliss \
 	--disable-blowfish \
+	--disable-botan \
 	--disable-ccm \
 	--disable-chapoly \
 	--enable-cmac \
@@ -54,6 +55,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-nonce \
 	--disable-ntru \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
+	--disable-wolfssl \
 	--disable-padlock \
 	--enable-random \
 	--disable-rc2 \
@@ -126,11 +128,9 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-socket-default \
 	--disable-socket-dynamic \
 	--disable-socket-win \
-	--enable-stroke \
 	--disable-smp \
 	--disable-sql \
 	--disable-uci \
-	--disable-vici \
 	--disable-android-dns \
 	--enable-attr \
 	--disable-attr-sql \
@@ -147,8 +147,6 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-imv-os \
 	--disable-imc-attestation \
 	--disable-imv-attestation \
-	--disable-imc-swid \
-	--disable-imv-swid \
 	--disable-imc-swima \
 	--disable-imv-swima \
 	--disable-imc-hcd \
@@ -174,14 +172,13 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-load-tester \
 	--disable-lookip \
 	--disable-radattr \
+	--disable-save-keys \
 	--disable-systime-fix \
 	--disable-test-vectors \
 	--enable-updown \
 	--disable-aikgen \
-	--enable-charon \
 	--disable-cmd \
 	--disable-conftest \
-	--disable-dumm \
 	--disable-fast \
 	--disable-fuzzing \
 	--disable-libipsec \
@@ -190,11 +187,9 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-medsrv \
 	--disable-nm \
 	--enable-pki \
-	--enable-scepclient \
 	--enable-scripts \
 	--disable-svc \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
-	--disable-swanctl \
 	--disable-tkm \
 	--disable-bfd-backtraces \
 	--disable-dbghelp-backtraces \
@@ -221,52 +216,29 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-dependency-tracking \
 	--enable-shared \
 	--with-ipseclibdir=/usr/lib \
-	--with-systemdsystemunitdir=/usr/lib/systemd/system
+	--with-systemdsystemunitdir=/usr/lib/systemd/system \
+	--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
+
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	STRONGSWAN_CONF_OPT += \
+		--enable-swanctl \
+		--disable-charon \
+		--disable-stroke \
+		--enable-vici \
+		--disable-scepclient
+else
+	STRONGSWAN_CONF_OPT += \
+		--disable-swanctl \
+		--enable-charon \
+		--enable-stroke \
+		--disable-vici \
+		--enable-scepclient
+endif
 
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
 
-STRONGSWAN_PLUGINS := \
-	libstrongswan-aes.so \
-	libstrongswan-attr.so \
-	libstrongswan-cmac.so \
-	libstrongswan-constraints.so \
-	libstrongswan-dnskey.so \
-	libstrongswan-fips-prf.so \
-	libstrongswan-gcm.so \
-	libstrongswan-gmp.so \
-	libstrongswan-hmac.so \
-	libstrongswan-kernel-netlink.so \
-	libstrongswan-nonce.so \
-	libstrongswan-pem.so \
-	libstrongswan-pgp.so \
-	libstrongswan-pkcs1.so \
-	libstrongswan-pkcs7.so \
-	libstrongswan-pkcs8.so \
-	libstrongswan-pubkey.so \
-	libstrongswan-random.so \
-	libstrongswan-resolve.so \
-	libstrongswan-revocation.so \
-	libstrongswan-sha1.so \
-	libstrongswan-sha2.so \
-	libstrongswan-socket-default.so \
-	libstrongswan-stroke.so \
-	libstrongswan-updown.so \
-	libstrongswan-x509.so \
-	libstrongswan-xauth-generic.so \
-	libstrongswan-xcbc.so
-
-ifdef PTXCONF_STRONGSWAN_LIBCURL
-	STRONGSWAN_PLUGINS += libstrongswan-curl.so
-endif
-ifdef PTXCONF_STRONGSWAN_OPENSSL
-	STRONGSWAN_PLUGINS += libstrongswan-openssl.so
-endif
-ifdef PTXCONF_STRONGSWAN_AFALG
-	STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
-endif
-
 $(STATEDIR)/strongswan.targetinstall:
 	@$(call targetinfo)
 
@@ -276,34 +248,43 @@ $(STATEDIR)/strongswan.targetinstall:
 	@$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
 	@$(call install_fixup, strongswan,DESCRIPTION,missing)
 
-	@$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
-
-	@$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
-
-	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
+ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	@$(call install_link, strongswan, ../strongswan.service, \
+		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+endif
 
-	@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
-	@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/bin)
+	@$(call install_glob, strongswan, 0, 0, -, /usr/lib,,*.la)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
 
-	@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
-		$(call install_copy, strongswan, 0, 0, 0644, -, \
-			/usr/lib/plugins/$(plugin));)
+	@$(call install_alternative, strongswan, 0, 0, 0644,  $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
 
-ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
-	@$(call install_alternative, strongswan, 0, 0, 0644, \
-		/usr/lib/systemd/system/strongswan.service)
-	@$(call install_link, strongswan, ../strongswan.service, \
-		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
 endif
 
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
-	@$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
+	@$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
 
 	@$(call install_finish, strongswan)
 
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-11-18 12:45 [ptxdist] [PATCH] strongswan: Version bump 5.6.1 -> 5.8.1 Lars Pedersen
@ 2019-11-19 12:49 ` Lars Pedersen
  2019-11-19 14:56   ` Bruno Thomsen
  2019-11-25  6:53   ` Michael Olbrich
  2019-12-05  9:34 ` Lars Pedersen
  1 sibling, 2 replies; 8+ messages in thread
From: Lars Pedersen @ 2019-11-19 12:49 UTC (permalink / raw)
  To: ptxdist; +Cc: Lars Pedersen

Add swanctl support which replaces the old starter, ipsec and stroke
backend. In this patch swanctl requires systemd.
https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd

Use install_glob to install all compiled plugins.

Option to enable strongswan service if systemd is used.

Option to set sysconfdir. Default /etc.

Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
---
v2: Missing tree install of strongswan.d directory in sysconf dir.
 rules/strongswan.in   |  25 ++++++--
 rules/strongswan.make | 130 ++++++++++++++++++------------------------
 2 files changed, 77 insertions(+), 78 deletions(-)

diff --git a/rules/strongswan.in b/rules/strongswan.in
index d0e660c57..651fd86a6 100644
--- a/rules/strongswan.in
+++ b/rules/strongswan.in
@@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
 
 config STRONGSWAN_SYSTEMD_UNIT
 	bool
-	default y
-	# uses old systemd-daemon / libsystemd-journal libs
-	depends on BROKEN
 	depends on INITMETHOD_SYSTEMD
-	prompt "install systemd service file"
+	prompt "install systemd unit file"
+
+config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Enable strongswan unit file"
+
+config STRONGSWAN_SWANCTL
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Use swanctl for configuration"
+	help
+		Swanctl is a new, portable command line utility to configure,
+		control and monitor the IKE daemon charon using the vici interface.
+
+config STRONGSWAN_SYSCONF_DIR
+	string
+	prompt "Sysconf directory"
+	default "/etc"
+	help
+		Override default /etc sysconf directory for strongswan.
 
 endif
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 90db7bef7..c0116e286 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION	:= 5.6.1
-STRONGSWAN_MD5		:= cb2241f1b96c524cd15b1c0f50ed9a27
+STRONGSWAN_VERSION	:= 5.8.1
+STRONGSWAN_MD5		:= 5a6b9980cd1ac4fad3c24b55ed960ac9
 STRONGSWAN		:= strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX	:= tar.bz2
 STRONGSWAN_URL		:= https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
@@ -36,6 +36,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
 	--disable-bliss \
 	--disable-blowfish \
+	--disable-botan \
 	--disable-ccm \
 	--disable-chapoly \
 	--enable-cmac \
@@ -54,6 +55,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-nonce \
 	--disable-ntru \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
+	--disable-wolfssl \
 	--disable-padlock \
 	--enable-random \
 	--disable-rc2 \
@@ -126,11 +128,9 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-socket-default \
 	--disable-socket-dynamic \
 	--disable-socket-win \
-	--enable-stroke \
 	--disable-smp \
 	--disable-sql \
 	--disable-uci \
-	--disable-vici \
 	--disable-android-dns \
 	--enable-attr \
 	--disable-attr-sql \
@@ -147,8 +147,6 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-imv-os \
 	--disable-imc-attestation \
 	--disable-imv-attestation \
-	--disable-imc-swid \
-	--disable-imv-swid \
 	--disable-imc-swima \
 	--disable-imv-swima \
 	--disable-imc-hcd \
@@ -174,14 +172,13 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-load-tester \
 	--disable-lookip \
 	--disable-radattr \
+	--disable-save-keys \
 	--disable-systime-fix \
 	--disable-test-vectors \
 	--enable-updown \
 	--disable-aikgen \
-	--enable-charon \
 	--disable-cmd \
 	--disable-conftest \
-	--disable-dumm \
 	--disable-fast \
 	--disable-fuzzing \
 	--disable-libipsec \
@@ -190,11 +187,9 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-medsrv \
 	--disable-nm \
 	--enable-pki \
-	--enable-scepclient \
 	--enable-scripts \
 	--disable-svc \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
-	--disable-swanctl \
 	--disable-tkm \
 	--disable-bfd-backtraces \
 	--disable-dbghelp-backtraces \
@@ -221,52 +216,29 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-dependency-tracking \
 	--enable-shared \
 	--with-ipseclibdir=/usr/lib \
-	--with-systemdsystemunitdir=/usr/lib/systemd/system
+	--with-systemdsystemunitdir=/usr/lib/systemd/system \
+	--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
+
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	STRONGSWAN_CONF_OPT += \
+		--enable-swanctl \
+		--disable-charon \
+		--disable-stroke \
+		--enable-vici \
+		--disable-scepclient
+else
+	STRONGSWAN_CONF_OPT += \
+		--disable-swanctl \
+		--enable-charon \
+		--enable-stroke \
+		--disable-vici \
+		--enable-scepclient
+endif
 
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
 
-STRONGSWAN_PLUGINS := \
-	libstrongswan-aes.so \
-	libstrongswan-attr.so \
-	libstrongswan-cmac.so \
-	libstrongswan-constraints.so \
-	libstrongswan-dnskey.so \
-	libstrongswan-fips-prf.so \
-	libstrongswan-gcm.so \
-	libstrongswan-gmp.so \
-	libstrongswan-hmac.so \
-	libstrongswan-kernel-netlink.so \
-	libstrongswan-nonce.so \
-	libstrongswan-pem.so \
-	libstrongswan-pgp.so \
-	libstrongswan-pkcs1.so \
-	libstrongswan-pkcs7.so \
-	libstrongswan-pkcs8.so \
-	libstrongswan-pubkey.so \
-	libstrongswan-random.so \
-	libstrongswan-resolve.so \
-	libstrongswan-revocation.so \
-	libstrongswan-sha1.so \
-	libstrongswan-sha2.so \
-	libstrongswan-socket-default.so \
-	libstrongswan-stroke.so \
-	libstrongswan-updown.so \
-	libstrongswan-x509.so \
-	libstrongswan-xauth-generic.so \
-	libstrongswan-xcbc.so
-
-ifdef PTXCONF_STRONGSWAN_LIBCURL
-	STRONGSWAN_PLUGINS += libstrongswan-curl.so
-endif
-ifdef PTXCONF_STRONGSWAN_OPENSSL
-	STRONGSWAN_PLUGINS += libstrongswan-openssl.so
-endif
-ifdef PTXCONF_STRONGSWAN_AFALG
-	STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
-endif
-
 $(STATEDIR)/strongswan.targetinstall:
 	@$(call targetinfo)
 
@@ -276,34 +248,44 @@ $(STATEDIR)/strongswan.targetinstall:
 	@$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
 	@$(call install_fixup, strongswan,DESCRIPTION,missing)
 
-	@$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
-
-	@$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
-
-	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
+ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	@$(call install_link, strongswan, ../strongswan.service, \
+		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+endif
 
-	@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
-	@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/bin)
+	@$(call install_glob, strongswan, 0, 0, -, /usr/lib,,*.la)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
 
-	@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
-		$(call install_copy, strongswan, 0, 0, 0644, -, \
-			/usr/lib/plugins/$(plugin));)
+	@$(call install_alternative, strongswan, 0, 0, 0644,  $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
 
-ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
-	@$(call install_alternative, strongswan, 0, 0, 0644, \
-		/usr/lib/systemd/system/strongswan.service)
-	@$(call install_link, strongswan, ../strongswan.service, \
-		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	@$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
 endif
 
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
-	@$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
+	@$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
 
 	@$(call install_finish, strongswan)
 
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-11-19 12:49 ` [ptxdist] [PATCH v2] " Lars Pedersen
@ 2019-11-19 14:56   ` Bruno Thomsen
  2019-11-25  6:53   ` Michael Olbrich
  1 sibling, 0 replies; 8+ messages in thread
From: Bruno Thomsen @ 2019-11-19 14:56 UTC (permalink / raw)
  To: ptxdist; +Cc: Lars Pedersen

Hi,

Den tir. 19. nov. 2019 kl. 13.50 skrev Lars Pedersen <lapeddk@gmail.com>:
>
> Add swanctl support which replaces the old starter, ipsec and stroke
> backend. In this patch swanctl requires systemd.
> https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
>
> Use install_glob to install all compiled plugins.
>
> Option to enable strongswan service if systemd is used.
>
> Option to set sysconfdir. Default /etc.
>
> Signed-off-by: Lars Pedersen <lapeddk@gmail.com>

Systemd service and swanctl seems to work fine in version 2.

Tested-by: Bruno Thomsen <bruno.thomsen@gmail.com>

/Bruno

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-11-19 12:49 ` [ptxdist] [PATCH v2] " Lars Pedersen
  2019-11-19 14:56   ` Bruno Thomsen
@ 2019-11-25  6:53   ` Michael Olbrich
  2019-11-26 10:21     ` Lars Pedersen
  1 sibling, 1 reply; 8+ messages in thread
From: Michael Olbrich @ 2019-11-25  6:53 UTC (permalink / raw)
  To: ptxdist

On Tue, Nov 19, 2019 at 01:49:37PM +0100, Lars Pedersen wrote:
> Add swanctl support which replaces the old starter, ipsec and stroke
> backend. In this patch swanctl requires systemd.
> https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
> 
> Use install_glob to install all compiled plugins.
> 
> Option to enable strongswan service if systemd is used.
> 
> Option to set sysconfdir. Default /etc.
> 
> Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
> ---
> v2: Missing tree install of strongswan.d directory in sysconf dir.
>  rules/strongswan.in   |  25 ++++++--
>  rules/strongswan.make | 130 ++++++++++++++++++------------------------
>  2 files changed, 77 insertions(+), 78 deletions(-)
> 
> diff --git a/rules/strongswan.in b/rules/strongswan.in
> index d0e660c57..651fd86a6 100644
> --- a/rules/strongswan.in
> +++ b/rules/strongswan.in
> @@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
>  
>  config STRONGSWAN_SYSTEMD_UNIT
>  	bool
> -	default y
> -	# uses old systemd-daemon / libsystemd-journal libs
> -	depends on BROKEN
>  	depends on INITMETHOD_SYSTEMD
> -	prompt "install systemd service file"
> +	prompt "install systemd unit file"
> +
> +config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> +	bool
> +	depends on STRONGSWAN_SYSTEMD_UNIT
> +	prompt "Enable strongswan unit file"
> +
> +config STRONGSWAN_SWANCTL
> +	bool
> +	depends on STRONGSWAN_SYSTEMD_UNIT
> +	prompt "Use swanctl for configuration"
> +	help
> +		Swanctl is a new, portable command line utility to configure,
> +		control and monitor the IKE daemon charon using the vici interface.
> +
> +config STRONGSWAN_SYSCONF_DIR
> +	string
> +	prompt "Sysconf directory"
> +	default "/etc"
> +	help
> +		Override default /etc sysconf directory for strongswan.
>  
>  endif
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 90db7bef7..c0116e286 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
>  #
>  # Paths and names
>  #
> -STRONGSWAN_VERSION	:= 5.6.1
> -STRONGSWAN_MD5		:= cb2241f1b96c524cd15b1c0f50ed9a27
> +STRONGSWAN_VERSION	:= 5.8.1
> +STRONGSWAN_MD5		:= 5a6b9980cd1ac4fad3c24b55ed960ac9
>  STRONGSWAN		:= strongswan-$(STRONGSWAN_VERSION)
>  STRONGSWAN_SUFFIX	:= tar.bz2
>  STRONGSWAN_URL		:= https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
> @@ -36,6 +36,7 @@ STRONGSWAN_CONF_OPT	:= \
>  	--$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
>  	--disable-bliss \
>  	--disable-blowfish \
> +	--disable-botan \
>  	--disable-ccm \
>  	--disable-chapoly \
>  	--enable-cmac \
> @@ -54,6 +55,7 @@ STRONGSWAN_CONF_OPT	:= \
>  	--enable-nonce \
>  	--disable-ntru \
>  	--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
> +	--disable-wolfssl \
>  	--disable-padlock \
>  	--enable-random \
>  	--disable-rc2 \
> @@ -126,11 +128,9 @@ STRONGSWAN_CONF_OPT	:= \
>  	--enable-socket-default \
>  	--disable-socket-dynamic \
>  	--disable-socket-win \
> -	--enable-stroke \
>  	--disable-smp \
>  	--disable-sql \
>  	--disable-uci \
> -	--disable-vici \
>  	--disable-android-dns \
>  	--enable-attr \
>  	--disable-attr-sql \
> @@ -147,8 +147,6 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-imv-os \
>  	--disable-imc-attestation \
>  	--disable-imv-attestation \
> -	--disable-imc-swid \
> -	--disable-imv-swid \
>  	--disable-imc-swima \
>  	--disable-imv-swima \
>  	--disable-imc-hcd \
> @@ -174,14 +172,13 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-load-tester \
>  	--disable-lookip \
>  	--disable-radattr \
> +	--disable-save-keys \
>  	--disable-systime-fix \
>  	--disable-test-vectors \
>  	--enable-updown \
>  	--disable-aikgen \
> -	--enable-charon \
>  	--disable-cmd \
>  	--disable-conftest \
> -	--disable-dumm \
>  	--disable-fast \
>  	--disable-fuzzing \
>  	--disable-libipsec \
> @@ -190,11 +187,9 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-medsrv \
>  	--disable-nm \
>  	--enable-pki \
> -	--enable-scepclient \
>  	--enable-scripts \
>  	--disable-svc \
>  	--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
> -	--disable-swanctl \
>  	--disable-tkm \
>  	--disable-bfd-backtraces \
>  	--disable-dbghelp-backtraces \
> @@ -221,52 +216,29 @@ STRONGSWAN_CONF_OPT	:= \
>  	--enable-dependency-tracking \
>  	--enable-shared \
>  	--with-ipseclibdir=/usr/lib \
> -	--with-systemdsystemunitdir=/usr/lib/systemd/system
> +	--with-systemdsystemunitdir=/usr/lib/systemd/system \
> +	--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
> +
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> +	STRONGSWAN_CONF_OPT += \
> +		--enable-swanctl \
> +		--disable-charon \
> +		--disable-stroke \
> +		--enable-vici \
> +		--disable-scepclient
> +else
> +	STRONGSWAN_CONF_OPT += \
> +		--disable-swanctl \
> +		--enable-charon \
> +		--enable-stroke \
> +		--disable-vici \
> +		--enable-scepclient
> +endif
>  
>  # ----------------------------------------------------------------------------
>  # Target-Install
>  # ----------------------------------------------------------------------------
>  
> -STRONGSWAN_PLUGINS := \
> -	libstrongswan-aes.so \
> -	libstrongswan-attr.so \
> -	libstrongswan-cmac.so \
> -	libstrongswan-constraints.so \
> -	libstrongswan-dnskey.so \
> -	libstrongswan-fips-prf.so \
> -	libstrongswan-gcm.so \
> -	libstrongswan-gmp.so \
> -	libstrongswan-hmac.so \
> -	libstrongswan-kernel-netlink.so \
> -	libstrongswan-nonce.so \
> -	libstrongswan-pem.so \
> -	libstrongswan-pgp.so \
> -	libstrongswan-pkcs1.so \
> -	libstrongswan-pkcs7.so \
> -	libstrongswan-pkcs8.so \
> -	libstrongswan-pubkey.so \
> -	libstrongswan-random.so \
> -	libstrongswan-resolve.so \
> -	libstrongswan-revocation.so \
> -	libstrongswan-sha1.so \
> -	libstrongswan-sha2.so \
> -	libstrongswan-socket-default.so \
> -	libstrongswan-stroke.so \
> -	libstrongswan-updown.so \
> -	libstrongswan-x509.so \
> -	libstrongswan-xauth-generic.so \
> -	libstrongswan-xcbc.so
> -
> -ifdef PTXCONF_STRONGSWAN_LIBCURL
> -	STRONGSWAN_PLUGINS += libstrongswan-curl.so
> -endif
> -ifdef PTXCONF_STRONGSWAN_OPENSSL
> -	STRONGSWAN_PLUGINS += libstrongswan-openssl.so
> -endif
> -ifdef PTXCONF_STRONGSWAN_AFALG
> -	STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
> -endif
> -
>  $(STATEDIR)/strongswan.targetinstall:
>  	@$(call targetinfo)
>  
> @@ -276,34 +248,44 @@ $(STATEDIR)/strongswan.targetinstall:
>  	@$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
>  	@$(call install_fixup, strongswan,DESCRIPTION,missing)
>  
> -	@$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
> -
> -	@$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
> -
> -	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
> +ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> +	@$(call install_link, strongswan, ../strongswan.service, \
> +		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> +endif
>  
> -	@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
> -	@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
> +	@$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> +	@$(call install_glob, strongswan, 0, 0, -, /usr/lib,,*.la)
> +	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> +	@$(call install_tree, strongswan, 0, 0, -, /usr/sbin)

No, we deliberately install the files explicitly. For shared libraries,
this ensures that only the necessary links are installed.
For all other files, this makes sure that we notice issues with the build
configuration.

Also, my check scripts noticed, that /usr/libexec/ipsec/xfrmi uses
libstrongswan-kernel-netlink.so but is missing the correct rpath for this.
It's in /usr/lib/plugins so not found by default.

This can happen in ptxdist because we do tricks with the rpath to avoid
paths to the build tree. Pulseaudio has the same problem. Take a look how
it's handled there.

Michael

>  
> -	@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
> -		$(call install_copy, strongswan, 0, 0, 0644, -, \
> -			/usr/lib/plugins/$(plugin));)
> +	@$(call install_alternative, strongswan, 0, 0, 0644,  $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
>  
> -ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
> -	@$(call install_alternative, strongswan, 0, 0, 0644, \
> -		/usr/lib/systemd/system/strongswan.service)
> -	@$(call install_link, strongswan, ../strongswan.service, \
> -		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> +	@$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
>  endif
>  
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
> -	@$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
> +	@$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
>  
>  	@$(call install_finish, strongswan)
>  
> -- 
> 2.23.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-11-25  6:53   ` Michael Olbrich
@ 2019-11-26 10:21     ` Lars Pedersen
  2019-11-28 16:21       ` Michael Olbrich
  0 siblings, 1 reply; 8+ messages in thread
From: Lars Pedersen @ 2019-11-26 10:21 UTC (permalink / raw)
  To: ptxdist

Thanks for the review.

On Mon, 25 Nov 2019 at 07:53, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
>
> > -     @$(call install_lib, strongswan, 0, 0, 0644, libcharon)
> > -     @$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
> > +     @$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> > +     @$(call install_glob, strongswan, 0, 0, -, /usr/lib,,*.la)
> > +     @$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> > +     @$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
>
> No, we deliberately install the files explicitly. For shared libraries,
> this ensures that only the necessary links are installed.
> For all other files, this makes sure that we notice issues with the build
> configuration.
>
> Also, my check scripts noticed, that /usr/libexec/ipsec/xfrmi uses
> libstrongswan-kernel-netlink.so but is missing the correct rpath for this.
> It's in /usr/lib/plugins so not found by default.
>
> This can happen in ptxdist because we do tricks with the rpath to avoid
> paths to the build tree. Pulseaudio has the same problem. Take a look how
> it's handled there.
>

So basically you want the install_glob of libraries to be reverted
back into installing them all in a for loop using install_lib like
before?

I'm unsure about the rpath for xfrmi. The paths looks similar using
readelf if I compare it with the starter executable in the same dir.
What does your script output? The xfrmi is a new executable in
strongswan for policy based routing.

$readelf -a xfrmi
...
Dynamic section at offset 0x1e38 contains 32 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library:
[libstrongswan-kernel-netlink.so]
 0x00000001 (NEEDED)                     Shared library: [libstrongswan.so.0]
 0x00000001 (NEEDED)                     Shared library: [libcharon.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x00000001 (NEEDED)                     Shared library: [ld-linux.so.3]
...

/Lars Pedersen

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-11-26 10:21     ` Lars Pedersen
@ 2019-11-28 16:21       ` Michael Olbrich
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Olbrich @ 2019-11-28 16:21 UTC (permalink / raw)
  To: ptxdist

On Tue, Nov 26, 2019 at 11:21:41AM +0100, Lars Pedersen wrote:
> Thanks for the review.
> 
> On Mon, 25 Nov 2019 at 07:53, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> >
> > > -     @$(call install_lib, strongswan, 0, 0, 0644, libcharon)
> > > -     @$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
> > > +     @$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> > > +     @$(call install_glob, strongswan, 0, 0, -, /usr/lib,,*.la)
> > > +     @$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> > > +     @$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
> >
> > No, we deliberately install the files explicitly. For shared libraries,
> > this ensures that only the necessary links are installed.
> > For all other files, this makes sure that we notice issues with the build
> > configuration.
> >
> > Also, my check scripts noticed, that /usr/libexec/ipsec/xfrmi uses
> > libstrongswan-kernel-netlink.so but is missing the correct rpath for this.
> > It's in /usr/lib/plugins so not found by default.
> >
> > This can happen in ptxdist because we do tricks with the rpath to avoid
> > paths to the build tree. Pulseaudio has the same problem. Take a look how
> > it's handled there.
> >
> 
> So basically you want the install_glob of libraries to be reverted
> back into installing them all in a for loop using install_lib like
> before?

exactly.

> I'm unsure about the rpath for xfrmi. The paths looks similar using
> readelf if I compare it with the starter executable in the same dir.
> What does your script output? The xfrmi is a new executable in
> strongswan for policy based routing.
> 
> $readelf -a xfrmi
> ...
> Dynamic section at offset 0x1e38 contains 32 entries:
>   Tag        Type                         Name/Value
>  0x00000001 (NEEDED)                     Shared library:
> [libstrongswan-kernel-netlink.so]

This library is in a non-standard directory, so it won't be found by ld.so.
If you try to execute this xfrmi on the target you should get a 'file not
found' error or something like that.

To fix this, an rpath for /usr/lib/plugins (the directory containing this
lib) must be added.

Pulseaudio has the same problem (with two dirs instead of one).

Michael

>  0x00000001 (NEEDED)                     Shared library: [libstrongswan.so.0]
>  0x00000001 (NEEDED)                     Shared library: [libcharon.so.0]
>  0x00000001 (NEEDED)                     Shared library: [libc.so.6]
>  0x00000001 (NEEDED)                     Shared library: [ld-linux.so.3]
> ...
> 
> /Lars Pedersen
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-11-18 12:45 [ptxdist] [PATCH] strongswan: Version bump 5.6.1 -> 5.8.1 Lars Pedersen
  2019-11-19 12:49 ` [ptxdist] [PATCH v2] " Lars Pedersen
@ 2019-12-05  9:34 ` Lars Pedersen
  2019-12-05 15:45   ` Michael Olbrich
  1 sibling, 1 reply; 8+ messages in thread
From: Lars Pedersen @ 2019-12-05  9:34 UTC (permalink / raw)
  To: ptxdist; +Cc: Lars Pedersen

Add swanctl support which replaces the old starter, ipsec and stroke
backend. In this patch swanctl requires systemd.
https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd

Option to enable strongswan service if systemd is used.

Option to set sysconfdir. Default /etc.

Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
---
v2:
- Install_lib and plugins installed like before
- Set rpath to /usr/lib/plugins
- Add license_files field

 rules/strongswan.in   | 25 ++++++++++--
 rules/strongswan.make | 91 ++++++++++++++++++++++++++++---------------
 2 files changed, 81 insertions(+), 35 deletions(-)

diff --git a/rules/strongswan.in b/rules/strongswan.in
index d0e660c57..5bcef7d8d 100644
--- a/rules/strongswan.in
+++ b/rules/strongswan.in
@@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
 
 config STRONGSWAN_SYSTEMD_UNIT
 	bool
-	default y
-	# uses old systemd-daemon / libsystemd-journal libs
-	depends on BROKEN
 	depends on INITMETHOD_SYSTEMD
-	prompt "install systemd service file"
+	prompt "install systemd unit file"
+
+config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Enable strongswan unit file"
+
+config STRONGSWAN_SWANCTL
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Use swanctl for configuration"
+	help
+	  Swanctl is a new, portable command line utility to configure,
+	  control and monitor the IKE daemon charon using the vici interface.
+
+config STRONGSWAN_SYSCONF_DIR
+	string
+	prompt "Sysconf directory"
+	default "/etc"
+	help
+	  Override default /etc sysconf directory for strongswan.
 
 endif
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 90db7bef7..e5ecac591 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -15,14 +15,17 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION	:= 5.6.1
-STRONGSWAN_MD5		:= cb2241f1b96c524cd15b1c0f50ed9a27
+STRONGSWAN_VERSION	:= 5.8.1
+STRONGSWAN_MD5		:= 5a6b9980cd1ac4fad3c24b55ed960ac9
 STRONGSWAN		:= strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX	:= tar.bz2
 STRONGSWAN_URL		:= https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
 STRONGSWAN_SOURCE	:= $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
 STRONGSWAN_DIR		:= $(BUILDDIR)/$(STRONGSWAN)
 STRONGSWAN_LICENSE	:= GPL
+STRONGSWAN_LICENSE_FILES	:= \
+	file://LICENSE;md5=7744b64eaadabebdfd17e8a5ae6c9855 \
+	file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263
 
 # ----------------------------------------------------------------------------
 # Prepare
@@ -36,6 +39,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
 	--disable-bliss \
 	--disable-blowfish \
+	--disable-botan \
 	--disable-ccm \
 	--disable-chapoly \
 	--enable-cmac \
@@ -54,6 +58,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-nonce \
 	--disable-ntru \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
+	--disable-wolfssl \
 	--disable-padlock \
 	--enable-random \
 	--disable-rc2 \
@@ -126,11 +131,11 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-socket-default \
 	--disable-socket-dynamic \
 	--disable-socket-win \
-	--enable-stroke \
+	--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke \
 	--disable-smp \
 	--disable-sql \
 	--disable-uci \
-	--disable-vici \
+	--$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-vici \
 	--disable-android-dns \
 	--enable-attr \
 	--disable-attr-sql \
@@ -147,8 +152,6 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-imv-os \
 	--disable-imc-attestation \
 	--disable-imv-attestation \
-	--disable-imc-swid \
-	--disable-imv-swid \
 	--disable-imc-swima \
 	--disable-imv-swima \
 	--disable-imc-hcd \
@@ -174,14 +177,14 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-load-tester \
 	--disable-lookip \
 	--disable-radattr \
+	--disable-save-keys \
 	--disable-systime-fix \
 	--disable-test-vectors \
 	--enable-updown \
 	--disable-aikgen \
-	--enable-charon \
+	--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon \
 	--disable-cmd \
 	--disable-conftest \
-	--disable-dumm \
 	--disable-fast \
 	--disable-fuzzing \
 	--disable-libipsec \
@@ -190,11 +193,10 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-medsrv \
 	--disable-nm \
 	--enable-pki \
-	--enable-scepclient \
+	--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \
 	--enable-scripts \
 	--disable-svc \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
-	--disable-swanctl \
 	--disable-tkm \
 	--disable-bfd-backtraces \
 	--disable-dbghelp-backtraces \
@@ -220,8 +222,12 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-defaults \
 	--enable-dependency-tracking \
 	--enable-shared \
+	--$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \
 	--with-ipseclibdir=/usr/lib \
-	--with-systemdsystemunitdir=/usr/lib/systemd/system
+	--with-systemdsystemunitdir=/usr/lib/systemd/system \
+	--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
+
+STRONGSWAN_LDFLAGS	:= -Wl,-rpath,/usr/lib/plugins
 
 # ----------------------------------------------------------------------------
 # Target-Install
@@ -251,12 +257,17 @@ STRONGSWAN_PLUGINS := \
 	libstrongswan-sha1.so \
 	libstrongswan-sha2.so \
 	libstrongswan-socket-default.so \
-	libstrongswan-stroke.so \
 	libstrongswan-updown.so \
 	libstrongswan-x509.so \
 	libstrongswan-xauth-generic.so \
 	libstrongswan-xcbc.so
 
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	STRONGSWAN_PLUGINS += libstrongswan-vici.so
+else
+	STRONGSWAN_PLUGINS += libstrongswan-stroke.so
+endif
+
 ifdef PTXCONF_STRONGSWAN_LIBCURL
 	STRONGSWAN_PLUGINS += libstrongswan-curl.so
 endif
@@ -267,6 +278,7 @@ ifdef PTXCONF_STRONGSWAN_AFALG
 	STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
 endif
 
+
 $(STATEDIR)/strongswan.targetinstall:
 	@$(call targetinfo)
 
@@ -276,34 +288,51 @@ $(STATEDIR)/strongswan.targetinstall:
 	@$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
 	@$(call install_fixup, strongswan,DESCRIPTION,missing)
 
-	@$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
-
-	@$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
+ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	@$(call install_link, strongswan, ../strongswan.service, \
+		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+endif
 
-	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/bin)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
 
 	@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
 	@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
 
 	@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
-		$(call install_copy, strongswan, 0, 0, 0644, -, \
-			/usr/lib/plugins/$(plugin));)
+	$(call install_copy, strongswan, 0, 0, 0644, -, \
+		/usr/lib/plugins/$(plugin));)
 
-ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
-	@$(call install_alternative, strongswan, 0, 0, 0644, \
-		/usr/lib/systemd/system/strongswan.service)
-	@$(call install_link, strongswan, ../strongswan.service, \
-		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+	@$(call install_alternative, strongswan, 0, 0, 0644,  $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
+
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	@$(call install_lib, strongswan, 0, 0, 0644, libvici)
+	@$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
 endif
 
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
-	@$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
+	@$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
 
 	@$(call install_finish, strongswan)
 
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
  2019-12-05  9:34 ` Lars Pedersen
@ 2019-12-05 15:45   ` Michael Olbrich
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Olbrich @ 2019-12-05 15:45 UTC (permalink / raw)
  To: ptxdist

On Thu, Dec 05, 2019 at 10:34:26AM +0100, Lars Pedersen wrote:
> Add swanctl support which replaces the old starter, ipsec and stroke
> backend. In this patch swanctl requires systemd.
> https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
> 
> Option to enable strongswan service if systemd is used.
> 
> Option to set sysconfdir. Default /etc.
> 
> Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
> ---
> v2:
> - Install_lib and plugins installed like before
> - Set rpath to /usr/lib/plugins
> - Add license_files field
> 
>  rules/strongswan.in   | 25 ++++++++++--
>  rules/strongswan.make | 91 ++++++++++++++++++++++++++++---------------
>  2 files changed, 81 insertions(+), 35 deletions(-)
> 
> diff --git a/rules/strongswan.in b/rules/strongswan.in
> index d0e660c57..5bcef7d8d 100644
> --- a/rules/strongswan.in
> +++ b/rules/strongswan.in
> @@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
>  
>  config STRONGSWAN_SYSTEMD_UNIT
>  	bool
> -	default y

keep the default.

> -	# uses old systemd-daemon / libsystemd-journal libs
> -	depends on BROKEN
>  	depends on INITMETHOD_SYSTEMD
> -	prompt "install systemd service file"
> +	prompt "install systemd unit file"

Why change this? It's a service.

> +
> +config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> +	bool
> +	depends on STRONGSWAN_SYSTEMD_UNIT
> +	prompt "Enable strongswan unit file"

No, why install the unit but not enable it?

> +
> +config STRONGSWAN_SWANCTL
> +	bool
> +	depends on STRONGSWAN_SYSTEMD_UNIT

Why the dependency?

> +	prompt "Use swanctl for configuration"
> +	help
> +	  Swanctl is a new, portable command line utility to configure,
> +	  control and monitor the IKE daemon charon using the vici interface.
> +
> +config STRONGSWAN_SYSCONF_DIR
> +	string
> +	prompt "Sysconf directory"
> +	default "/etc"
> +	help
> +	  Override default /etc sysconf directory for strongswan.

No. I don't want something like this configurable in PTXdist upstream.
If you need to move this elsewhere, then there are other ways to do this.

E.g. create /dev/null links[1] for all the config files in projectroot/ and
create a symlink for /etc/ipsec.d that points to your directory.


[1] https://www.ptxdist.org/doc/ref_manual.html#install-alternative

>  endif
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 90db7bef7..e5ecac591 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
> @@ -15,14 +15,17 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
>  #
>  # Paths and names
>  #
> -STRONGSWAN_VERSION	:= 5.6.1
> -STRONGSWAN_MD5		:= cb2241f1b96c524cd15b1c0f50ed9a27
> +STRONGSWAN_VERSION	:= 5.8.1
> +STRONGSWAN_MD5		:= 5a6b9980cd1ac4fad3c24b55ed960ac9
>  STRONGSWAN		:= strongswan-$(STRONGSWAN_VERSION)
>  STRONGSWAN_SUFFIX	:= tar.bz2
>  STRONGSWAN_URL		:= https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
>  STRONGSWAN_SOURCE	:= $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
>  STRONGSWAN_DIR		:= $(BUILDDIR)/$(STRONGSWAN)
>  STRONGSWAN_LICENSE	:= GPL
> +STRONGSWAN_LICENSE_FILES	:= \
> +	file://LICENSE;md5=7744b64eaadabebdfd17e8a5ae6c9855 \
> +	file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263
>  
>  # ----------------------------------------------------------------------------
>  # Prepare
> @@ -36,6 +39,7 @@ STRONGSWAN_CONF_OPT	:= \
>  	--$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
>  	--disable-bliss \
>  	--disable-blowfish \
> +	--disable-botan \
>  	--disable-ccm \
>  	--disable-chapoly \
>  	--enable-cmac \
> @@ -54,6 +58,7 @@ STRONGSWAN_CONF_OPT	:= \
>  	--enable-nonce \
>  	--disable-ntru \
>  	--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
> +	--disable-wolfssl \
>  	--disable-padlock \
>  	--enable-random \
>  	--disable-rc2 \
> @@ -126,11 +131,11 @@ STRONGSWAN_CONF_OPT	:= \
>  	--enable-socket-default \
>  	--disable-socket-dynamic \
>  	--disable-socket-win \
> -	--enable-stroke \
> +	--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke \
>  	--disable-smp \
>  	--disable-sql \
>  	--disable-uci \
> -	--disable-vici \
> +	--$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-vici \
>  	--disable-android-dns \
>  	--enable-attr \
>  	--disable-attr-sql \
> @@ -147,8 +152,6 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-imv-os \
>  	--disable-imc-attestation \
>  	--disable-imv-attestation \
> -	--disable-imc-swid \
> -	--disable-imv-swid \
>  	--disable-imc-swima \
>  	--disable-imv-swima \
>  	--disable-imc-hcd \
> @@ -174,14 +177,14 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-load-tester \
>  	--disable-lookip \
>  	--disable-radattr \
> +	--disable-save-keys \
>  	--disable-systime-fix \
>  	--disable-test-vectors \
>  	--enable-updown \
>  	--disable-aikgen \
> -	--enable-charon \
> +	--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon \
>  	--disable-cmd \
>  	--disable-conftest \
> -	--disable-dumm \
>  	--disable-fast \
>  	--disable-fuzzing \
>  	--disable-libipsec \
> @@ -190,11 +193,10 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-medsrv \
>  	--disable-nm \
>  	--enable-pki \
> -	--enable-scepclient \
> +	--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \
>  	--enable-scripts \
>  	--disable-svc \
>  	--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
> -	--disable-swanctl \
>  	--disable-tkm \
>  	--disable-bfd-backtraces \
>  	--disable-dbghelp-backtraces \
> @@ -220,8 +222,12 @@ STRONGSWAN_CONF_OPT	:= \
>  	--disable-defaults \
>  	--enable-dependency-tracking \
>  	--enable-shared \
> +	--$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \
>  	--with-ipseclibdir=/usr/lib \
> -	--with-systemdsystemunitdir=/usr/lib/systemd/system
> +	--with-systemdsystemunitdir=/usr/lib/systemd/system \
> +	--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
> +
> +STRONGSWAN_LDFLAGS	:= -Wl,-rpath,/usr/lib/plugins
>  
>  # ----------------------------------------------------------------------------
>  # Target-Install
> @@ -251,12 +257,17 @@ STRONGSWAN_PLUGINS := \
>  	libstrongswan-sha1.so \
>  	libstrongswan-sha2.so \
>  	libstrongswan-socket-default.so \
> -	libstrongswan-stroke.so \
>  	libstrongswan-updown.so \
>  	libstrongswan-x509.so \
>  	libstrongswan-xauth-generic.so \
>  	libstrongswan-xcbc.so
>  
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> +	STRONGSWAN_PLUGINS += libstrongswan-vici.so
> +else
> +	STRONGSWAN_PLUGINS += libstrongswan-stroke.so
> +endif
> +
>  ifdef PTXCONF_STRONGSWAN_LIBCURL
>  	STRONGSWAN_PLUGINS += libstrongswan-curl.so
>  endif
> @@ -267,6 +278,7 @@ ifdef PTXCONF_STRONGSWAN_AFALG
>  	STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
>  endif
>  
> +
>  $(STATEDIR)/strongswan.targetinstall:
>  	@$(call targetinfo)
>  
> @@ -276,34 +288,51 @@ $(STATEDIR)/strongswan.targetinstall:
>  	@$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
>  	@$(call install_fixup, strongswan,DESCRIPTION,missing)
>  
> -	@$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
> -
> -	@$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
> +ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> +	@$(call install_link, strongswan, ../strongswan.service, \
> +		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> +endif
>  
> -	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
> +	@$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> +	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> +	@$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
>  
>  	@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
>  	@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
>  
>  	@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
> -		$(call install_copy, strongswan, 0, 0, 0644, -, \
> -			/usr/lib/plugins/$(plugin));)
> +	$(call install_copy, strongswan, 0, 0, 0644, -, \
> +		/usr/lib/plugins/$(plugin));)

Keep the indention.

>  
> -ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
> -	@$(call install_alternative, strongswan, 0, 0, 0644, \
> -		/usr/lib/systemd/system/strongswan.service)

This looks wrong. It looks like strongswan.service is not installed any
more.

> -	@$(call install_link, strongswan, ../strongswan.service, \
> -		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> +	@$(call install_alternative, strongswan, 0, 0, 0644,  $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
> +
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> +	@$(call install_lib, strongswan, 0, 0, 0644, libvici)
> +	@$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
> +	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
> +	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
>  endif
>  
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
> -	@$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
> -	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
> +	@$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
> +	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)

see above.

Michael

>  
>  	@$(call install_finish, strongswan)
>  
> -- 
> 2.23.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2019-12-05 15:45 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-18 12:45 [ptxdist] [PATCH] strongswan: Version bump 5.6.1 -> 5.8.1 Lars Pedersen
2019-11-19 12:49 ` [ptxdist] [PATCH v2] " Lars Pedersen
2019-11-19 14:56   ` Bruno Thomsen
2019-11-25  6:53   ` Michael Olbrich
2019-11-26 10:21     ` Lars Pedersen
2019-11-28 16:21       ` Michael Olbrich
2019-12-05  9:34 ` Lars Pedersen
2019-12-05 15:45   ` Michael Olbrich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox